Security

Brokerage data deserves enterprise discipline.

REHL handles lead PII, consent records, agent commission data, and the consumer behavior signals that power lead temperature scoring. We isolate every brokerage's data, enforce industry compliance standards in software, and keep our exposure surface deliberately small. Below: what we do, what we don't, and what's on the roadmap.

Brokerage data isolation

Every brokerage’s data is sealed off from every other brokerage.

Most multi-tenant platforms rely on application code to keep customer data separate — every query has to remember to filter by the right account, and one forgotten filter is a cross-tenant leak. REHL doesn't rely on that.

Brokerage data is isolated at the storage layer itself, not in the application. A bug in any feature that forgets to scope a query returns nothing — never another brokerage's data. The enforcement happens below the application, so the application can't accidentally override it.

Consumer-side data (saved listings, search alerts, account preferences) sits in a parallel isolation track. The same person can be a lead at multiple brokerages without those brokerages ever seeing each other's view of them.

REHL operators only access brokerage data when actively supporting your team or investigating an issue you've raised. Every such access is logged with an actor identity and a stated reason, and the log is available to your brokerage admin on request.

Compliance

The standards real estate runs on, enforced in software.

Compliance failures are the leading source of regulatory risk in real estate outreach and referral. REHL enforces the standards listed below as hard rules in code at the send and referral path, not as policy that depends on a person remembering. Until a given channel is live, the gate is enforced by the absence of any send-path at all.

  • TCPA & CAN-SPAM. The Telephone Consumer Protection Act (SMS, voice) and the CAN-SPAM Act (email) define what counts as lawful outreach in the United States. REHL refuses to dispatch any message without an on-file consent record naming channel, source, timestamp, IP, user-agent, and exact disclosure text. No record, no send.
  • RESPA Section 8. The Real Estate Settlement Procedures Act limits how settlement-service partners (lenders, attorneys, inspectors, insurance, title) can be referred and compensated. REHL's partner substrate is designed to record every referral and its commercial terms in structured form, so each program can be reviewed against RESPA Section 8 + applicable state rules before it goes live. Final terms for any settlement-service partnership are gated on counsel review.
  • State real-estate-commission rules. FL, WA, and OK have the strictest consent rules in our launch footprint — REHL applies confirmed double opt-in on SMS as the hard default in those states. State-specific referral, disclosure, and licensing constraints are honored on a per-brokerage basis.
  • Consumer privacy (GDPR / CCPA / CPRA). Consumers can request the data REHL holds on them, correct it, or have it deleted. We honor opt-outs from sale or sharing where applicable. Marketing consent on the consumer site is captured at the moment it's given, with the exact disclosure text and timestamp on record.
  • Suppression + quiet hours. STOP / UNSUBSCRIBE / QUIT / CANCEL / END / OPTOUT on SMS are honored within seconds. Email carries industry-standard one-click unsubscribe handling per RFC 8058. SMS only sends between 8am–9pm in the recipient's local time zone. Carrier registration (A2P 10DLC) is mandatory before any brokerage's SMS goes live — enforced in code, not as a checklist.
  • MLS Data License Agreement compliance. Listing data flows exclusively through licensed RESO Web API feeds under each brokerage's MLS Data License Agreement. We don't scrape Zillow, Realtor.com, Redfin, or the MLS itself. Ever.
  • Append-only audit log. Every outbound message creates a record — recipient, rendered content, the consent it ran under, a unique identifier — and the audit-relevant fields on that record are write-once: a database trigger rejects any update that would touch the recipient, content, or consent reference after the row is written. Records are queryable for any compliance inquiry your brokerage receives. Cryptographic tamper-evidence (hash chaining / signed records) is on the roadmap; we won't claim it today.
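
The write-once behavior described in the audit-log item, as an added example (not REHL's own code). It uses SQLite through Python so it runs offline; the table, column, and trigger names are assumptions, and the DELETE trigger is an assumption about what "append-only" implies beyond the update rule stated above.

```python
import sqlite3

# Constructed schema: all names here are assumptions for illustration.
SCHEMA = """
CREATE TABLE outbound_message (
    id         TEXT PRIMARY KEY,  -- unique identifier for the send
    recipient  TEXT NOT NULL,
    content    TEXT NOT NULL,     -- rendered content as sent
    consent_id TEXT NOT NULL,     -- consent record the send ran under
    status     TEXT NOT NULL      -- mutable delivery state (assumption)
);
-- Fires when an UPDATE names a write-once column, even with an unchanged value.
CREATE TRIGGER outbound_message_write_once
BEFORE UPDATE OF recipient, content, consent_id ON outbound_message
BEGIN
    SELECT RAISE(ABORT, 'audit fields are write-once');
END;
-- Assumption: append-only also means rows cannot be removed.
CREATE TRIGGER outbound_message_no_delete
BEFORE DELETE ON outbound_message
BEGIN
    SELECT RAISE(ABORT, 'audit rows cannot be deleted');
END;
"""

def open_log():
    """Create an in-memory audit table with the write-once triggers installed."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def try_sql(db, sql, params=()):
    """Run one statement; return None on success or the rejection message."""
    try:
        with db:  # commits on success, rolls back when the trigger aborts
            db.execute(sql, params)
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)
```

A trigger like this stops application code from rewriting history, but anyone who can drop the trigger can still alter rows, which is the gap that hash chaining or signed records would close.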

Implementation status, plainly: consent capture, the partner-referral substrate, and the send-gate that authorizes each outbound message are live in code today. The Postmark email-dispatch wiring that runs messages through the gate is shipping channel-by-channel per brokerage; SMS dispatch follows once A2P 10DLC registration completes. Until the corresponding pipe is live for a given brokerage, the gate is enforced by the absence of any send-path at all. When messages do flow, every send runs through every gate above before it leaves the platform.
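
A sketch of how an SMS send-gate can combine the rules listed above (consent record, suppression, double opt-in states, A2P 10DLC registration, quiet hours), added here as an example and not taken from REHL's code. The record shape, function names, reason strings, and the case-insensitive keyword match are assumptions; the sample consent record is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Optional

STOP_WORDS = {"STOP", "UNSUBSCRIBE", "QUIT", "CANCEL", "END", "OPTOUT"}
DOUBLE_OPT_IN_STATES = {"FL", "WA", "OK"}
REQUIRED = ("channel", "source", "timestamp", "ip", "user_agent", "disclosure_text")

@dataclass
class Consent:  # hypothetical record shape; field names are assumptions
    channel: str
    source: str
    timestamp: datetime
    ip: str
    user_agent: str
    disclosure_text: str
    confirmed: bool = False  # second step of a double opt-in completed

def is_stop_keyword(body: str) -> bool:
    """True when an inbound SMS is exactly one of the opt-out keywords."""
    return body.strip().upper() in STOP_WORDS  # case-insensitive (assumption)

def authorize_sms(consent: Optional[Consent], state: str, suppressed: bool,
                  a2p_registered: bool, now_utc: datetime, recipient_tz: tzinfo):
    """Return (allowed, reason). Fails closed: the first failed check blocks the send."""
    if not a2p_registered:
        return False, "a2p_10dlc_not_registered"
    if consent is None or consent.channel != "sms":
        return False, "no_consent_record"
    if any(not getattr(consent, name) for name in REQUIRED):
        return False, "incomplete_consent_record"
    if suppressed:
        return False, "suppressed"
    if state in DOUBLE_OPT_IN_STATES and not consent.confirmed:
        return False, "double_opt_in_not_confirmed"
    # now_utc must be timezone-aware; quiet hours use the recipient's clock.
    local = now_utc.astimezone(recipient_tz).time()
    if not (time(8, 0) <= local < time(21, 0)):  # 21:00 treated as closed (assumption)
        return False, "quiet_hours"
    return True, "ok"

# Constructed sample data; the fixed UTC offset keeps the example offline.
SAMPLE = Consent("sms", "listing-inquiry-form", datetime(2025, 1, 10, tzinfo=timezone.utc),
                 "203.0.113.7", "Mozilla/5.0", "I agree to receive text messages (sample)")
EASTERN = timezone(timedelta(hours=-5))
```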

Data handling

Encrypted in transit and at rest. Region-locked. No silent data sharing.

  • TLS 1.2+ on every external connection. HSTS on consumer surfaces. Internal service-to-service traffic over a private network.
  • AES-256 encryption at rest on the managed-database tier. Backups encrypted with the same standard.
  • us-east region only for v1. We won't silently expand data residency without a named brokerage-facing notice and a contract amendment.
  • No vendor sharing beyond what each brokerage explicitly opts into. The enrichment partners we use (identity resolution, contact verification, climate data) all process under data-processing agreements that match what we tell brokerages in their contract.
  • Secrets management. All credentials live in industry-standard managed-secret stores, never in source code. Outbound API keys rotate on a schedule.

Application security

A hard wall between the consumer site and your private CRM.

REHL ships as two separate products that share one back end: app.rehl.us for brokerage users and rehl.us for consumers. The consumer-facing site never touches the brokerage CRM directly — a separate, hardened service sits in between, with a deliberately narrow surface area and no privileged operations exposed.

  • Narrow public surface. The consumer site can request only the things consumers are allowed to do: browse active listings, save listings, manage alerts, request an agent. No administrative endpoints exist on the consumer-facing service.
  • No cross-consumer reads. Even a forged identifier in a request can't pull another consumer's saved data — isolation is enforced at the data layer, not the application. Session security (short-lived tokens, secure-cookie flags, anomaly detection on the identity provider) is a separate, layered defense.
  • Signature-verified inbound integrations. Every webhook from messaging, e-sign, billing, and MLS partners is signature-verified before it touches our data, stored raw for audit, and processed asynchronously so a downstream failure can be replayed cleanly.
  • Idempotent outbound calls. Every outbound message, payment, and contract dispatch carries an idempotency key. A retried operation can't charge twice, send the same email twice, or duplicate an agreement.
  • Structured, auditable logging. Every relevant operation is logged with enough context for audit, none of it sensitive. Exceptions are captured by an industry-standard error-monitoring service; sensitive fields never enter the error stream.
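
The inbound-webhook flow described above (verify the signature, store the raw delivery, process asynchronously, replay after a failure), as an added example that is not REHL's code. The page does not name a signature scheme, so HMAC-SHA256 over the raw body with a per-partner shared secret is an assumption, as are the class, method names, and status codes.

```python
import hashlib
import hmac
import json
from collections import deque

class WebhookInbox:
    def __init__(self, secrets):
        self.secrets = secrets  # partner name -> shared secret bytes (assumption)
        self.raw_store = []     # verified raw deliveries, kept for audit and replay
        self.queue = deque()    # indexes into raw_store awaiting processing
        self.failed = []        # indexes whose handler raised

    def receive(self, partner: str, raw_body: bytes, signature_hex: str) -> int:
        """Request-side handler: returns the HTTP status to send back."""
        secret = self.secrets.get(partner)
        if secret is None:
            return 401
        expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
        # Constant-time compare over the exact bytes received, before any parsing.
        if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
            return 401
        self.raw_store.append((partner, raw_body))
        self.queue.append(len(self.raw_store) - 1)
        return 202  # accepted; the work happens later in drain()

    def drain(self, handler) -> int:
        """Worker side: run handler on queued events, return how many succeeded."""
        done = 0
        while self.queue:
            idx = self.queue.popleft()
            partner, raw = self.raw_store[idx]
            try:
                handler(partner, json.loads(raw))
                done += 1
            except Exception:
                self.failed.append(idx)  # raw copy is untouched, so replay is exact
        return done

    def replay_failed(self) -> None:
        """Requeue failed deliveries from their stored raw form."""
        self.queue.extend(self.failed)
        self.failed = []
```

Because a replay hands the same event to the handler a second time, the handler itself has to be idempotent, which is the property the outbound idempotency keys provide on the sending side.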

What's on the roadmap

What we're working toward, transparently.

REHL is early. Here's what's not done yet so we don't make claims we can't back up:

  • SOC 2 Type I — targeted for after our first commercial brokerage launches. We are not certified today; we will not claim otherwise.
  • Third-party penetration test — scheduled annually starting with the first commercial launch. Findings + remediation will be shareable under NDA on request.
  • Single sign-on / SAML — on the roadmap for brokerage-admin auth. Today: identity is handled through a dedicated auth provider with org-scoped membership.
  • Customer-managed encryption keys — for brokerages with bring-your-own-key requirements. On the backlog; not currently a v1 commitment.

Responsible disclosure

Found a vulnerability?

Email us at security@rehl.us with reproduction steps. We acknowledge within 2 business days, triage within 5, and patch on a severity-driven timeline. We don't prosecute good-faith research and we'll credit reporters who want credit.